
Majority of COVID-19 Contact Tracing Apps Lack Adequate Security

Guardsquare analyzed 17 global government COVID-19 contact tracing apps, including those from the US, finding most lacked sufficient security and pose a serious hacking risk.

The vast majority of government COVID-19 contact tracing apps from across the world, including the US, don’t employ sufficient security protections, making the apps easy targets for hackers, according to a report from Guardsquare.

Guardsquare assessed 17 Android contact tracing apps from 17 countries across Europe, the Americas, and Asia-Pacific, using both static and dynamic analysis. All of the apps were built by government entities, some with the help of third-party contractors. The researchers noted that the sample was not exhaustive but was chosen to shed light on the security weaknesses of these apps.

In the US, Google and Apple recently released a contact tracing API designed to support government agencies in creating their own contact tracing apps. The American Civil Liberties Union, a group of 200 scientists, Congress, and the Electronic Frontier Foundation have all warned of potential privacy and security issues posed by these apps.

Google and Apple were transparent about their policies and procedures designed to address some of these concerns, including sunsetting the data once the pandemic has ended. Despite those assurances, a group of 39 state attorneys general recently urged the tech giants to ensure their API is only used for its intended purpose: support for public health authorities.

But the new report from Guardsquare shows that even when these apps are used for their intended purpose, they still carry a host of privacy and security concerns. The report found that most of them make it easy for attackers to decompile the code, attack the app, and even build fake clones of legitimate contact tracing apps.

As a result, the flaws will likely lead to security breaches, if they have not done so already.

Researchers analyzed the apps across two categories: code hardening (protections applied to the app's code before it ships, such as obfuscation and encryption) and runtime application self-protection (RASP), which detects hostile conditions while the app is running. These were used as indicators of the level of in-app security implemented in the contact tracing apps.

The report found that just 41 percent of the apps use root detection, and the same share include some level of name obfuscation, while only 29 percent use string encryption. Just 18 percent include emulator detection, and only 6 percent (a single app out of the 17) include asset or resource encryption or class encryption.

Only one contact tracing app was fully obfuscated and encrypted.

Among the apps from the Americas, all included some level of name obfuscation, string encryption, and emulator detection. However, none of them included asset or resource encryption, class encryption, or root detection.

“While not an exhaustive list, these six hardening techniques are important for every mobile app,” researchers wrote. “For maximum security, mobile apps need to be protected by multiple layers of security, combining the listed techniques with code hardening like arithmetic obfuscation and control flow obfuscation, plus RASP techniques such as tamper detection and hook detection.”

“When security flaws are publicized, the whole app is suddenly distrusted and its utility wanes as users drop off,” they added. “Trust is key to success with contact tracing apps, but app makers unfortunately do not seem to be taking the risks seriously enough yet.”

Researchers stressed that, if improperly secured, the apps pose serious privacy and security risks, particularly to user and location data. To close these gaps, government apps must be built with a "privacy-by-design" approach, ensuring that the core app code is properly shielded and that user data is protected.

Root detection and emulator detection are crucial to identifying, stopping, and investigating attacks on the app. Mobile apps must also use a layered security approach, combining code hardening to protect the code at rest with RASP to protect the app while it is in use.

To be “truly bulletproof,” these apps need hook detection, tamper detection, and debugger detection, while employing real-time mobile threat intelligence and blocking or vulnerability management strategies.
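As an added illustration for the checks named above (root detection, emulator detection, debugger detection and tamper detection), the following Java class sketches what a minimal Android implementation of these RASP checks looks like. It is example code written for this article, not code from the Guardsquare report or from any of the apps it analyzed; the package, class and method names are hypothetical, and the expected signing-certificate hash is a placeholder.

```java
// Added example: minimal RASP-style self-checks for an Android app.
// Illustrative code only; not taken from the Guardsquare report or from any
// contact tracing app. Package, class and constant names are hypothetical.
package com.example.integrity;

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public final class IntegrityChecks {

    // SHA-256 of the release signing certificate (DER encoding).
    // Placeholder value: replace with the real fingerprint, e.g. as printed by
    // `apksigner verify --print-certs app.apk`.
    private static final String EXPECTED_SIGNING_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private IntegrityChecks() {}

    // Root detection: look for common su binaries and for "test-keys" builds.
    public static boolean isRooted() {
        String[] suPaths = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/system/su", "/su/bin/su", "/data/local/xbin/su"
        };
        for (String p : suPaths) {
            if (new File(p).exists()) return true;
        }
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Emulator detection: build properties typical of the stock Android emulator.
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.FINGERPRINT.contains("emulator")
            || Build.MODEL.contains("Emulator")
            || Build.MODEL.contains("Android SDK built for x86")
            || Build.HARDWARE.contains("goldfish")
            || Build.HARDWARE.contains("ranchu")
            || Build.PRODUCT.contains("sdk");
    }

    // Debugger detection: a debuggable build or an attached debugger.
    public static boolean isDebugged(Context ctx) {
        boolean debuggable = (ctx.getApplicationInfo().flags
                & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggable || Debug.isDebuggerConnected();
    }

    // Tamper detection: a repackaged clone cannot reproduce the original
    // signing key, so compare the installed APK's signing certificate hash
    // against the expected value. GET_SIGNATURES is deprecated on API 28+,
    // where GET_SIGNING_CERTIFICATES / PackageInfo.signingInfo should be used.
    @SuppressWarnings("deprecation")
    public static boolean isRepackaged(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return true;
            for (Signature sig : info.signatures) {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                String hex = toHex(md.digest(sig.toByteArray()));
                if (!EXPECTED_SIGNING_CERT_SHA256.equalsIgnoreCase(hex)) return true;
            }
            return false;
        } catch (Exception e) {
            return true; // fail closed: an unreadable signature is treated as tampering
        }
    }

    // Aggregate the checks; the caller decides whether to block, degrade, or report.
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        if (isRooted()) out.add("root");
        if (isEmulator()) out.add("emulator");
        if (isDebugged(ctx)) out.add("debugger");
        if (isRepackaged(ctx)) out.add("repackaged");
        return out;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The caveat a practitioner should keep in mind is the one the report itself makes: in an app with no name obfuscation or string encryption, checks like these are trivial to locate in decompiled output (the method names and the su paths are right there) and can be patched out of a repackaged clone or neutralised at runtime with a hooking framework. They only carry weight when combined with code hardening and with hook detection, which is why the report calls for layering the techniques rather than picking one.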

The apps should also avoid gathering certain categories of information and should not retain stored data for any length of time.

“Hacktivists, especially in places experiencing civil unrest, may also disrupt these apps—not to steal or expose data—but because they dislike the idea of government or other surveillance,” researchers concluded. “Clearly, there’s a lot at stake here. Properly securing contact tracing apps is not just a citizen privacy and security issue and a government trust issue. It’s a public health concern, as well.”
